X-Content-Type-Options

Description

The Anti-MIME-Sniffing header X-Content-Type-Options is missing or not set to nosniff. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Remediation

Ensure that the application/web server sets the Content-Type header appropriately and that it sets the X-Content-Type-Options header to nosniff for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all or that can be directed by the web application/web server to not perform MIME-sniffing.
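The following is an added example, not Escape's scanner code, of how a response can be evaluated for this check. It parses a raw HTTP/1.1 response and applies the Fetch standard's "determine nosniff" rule: all X-Content-Type-Options values are combined in order, split on commas, and only the first value has to be a case-insensitive match for "nosniff". The sample responses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    passed: bool   # True when the response opts out of MIME sniffing
    reason: str

def parse_response_headers(raw: bytes) -> list:
    """Parse the header block of a raw HTTP/1.1 response into
    (lower-cased name, value) pairs; the body after the blank line is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    pairs = []
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name.strip().lower(), value.strip(" \t")))
    return pairs

def determine_nosniff(headers: list) -> bool:
    """Fetch standard 'determine nosniff': join every X-Content-Type-Options
    value in order with ', ', split on commas, and require the FIRST value
    to be a case-insensitive 'nosniff'. (The spec's HTTP quoted-string
    handling is omitted here; the header value is not expected to use it.)"""
    values = [v for n, v in headers if n == "x-content-type-options"]
    if not values:
        return False
    first = ", ".join(values).split(",")[0].strip(" \t")
    return first.lower() == "nosniff"

def check_response(raw: bytes) -> Finding:
    headers = parse_response_headers(raw)
    if determine_nosniff(headers):
        return Finding(True, "X-Content-Type-Options: nosniff is honoured")
    if not any(n == "x-content-type-options" for n, _ in headers):
        return Finding(False, "X-Content-Type-Options header missing")
    return Finding(False, "X-Content-Type-Options present, but first value is not 'nosniff'")

# Constructed sample responses (not captured from any real server).
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
               b"X-Content-Type-Options: NoSniff\r\n\r\n{}")
MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhi"
# Browsers use the first value, so this response is still sniffable:
WRONG_VALUE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
               b"X-Content-Type-Options: none, nosniff\r\n\r\nhi")
```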

GraphQL Specific

Apollo

To mitigate the risk of MIME type sniffing attacks in the Apollo framework engine, set the 'X-Content-Type-Options' header to 'nosniff' for all responses served by the server. This can be achieved by configuring the server middleware to include this header, ensuring that browsers adhere to the declared content type as specified by the 'Content-Type' header.

Yoga

To mitigate the risk of MIME type sniffing attacks in the Yoga framework engine, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses served by the server. This can typically be achieved by configuring the server settings or by including a middleware that sets this header appropriately for each outgoing response.

Awsappsync

To mitigate the risk of MIME type sniffing which can lead to security vulnerabilities, it is recommended to set the 'X-Content-Type-Options' header to 'nosniff' in all responses served by your AWS AppSync API. This can be achieved by configuring your resolvers or using a Lambda function to set the header on HTTP responses. Ensure that your API's integration responses include the header 'X-Content-Type-Options: nosniff' to instruct browsers to strictly adhere to the declared content type.

Graphqlgo

Set the 'X-Content-Type-Options' header to 'nosniff' in the GraphQL Go framework engine to prevent MIME type sniffing.

Graphqlruby

Set the 'X-Content-Type-Options' header to 'nosniff' in the response to prevent MIME type sniffing.

Hasura

Set the 'X-Content-Type-Options' header to 'nosniff' in the Hasura engine's response headers to prevent MIME type sniffing.

REST Specific

Asp_net

In ASP.NET, ensure that all responses sent from the server include the 'X-Content-Type-Options' HTTP header with the value 'nosniff'. This can be achieved by adding a custom HTTP header in the web.config file or by setting the header directly in your application's response pipeline.

Ruby_on_rails

In Ruby on Rails, set the 'X-Content-Type-Options' header to 'nosniff' in your application's configuration. Add 'config.action_dispatch.default_headers.merge!({'X-Content-Type-Options' => 'nosniff'})' to 'config/application.rb' or use 'response.headers['X-Content-Type-Options'] = 'nosniff'' in your controllers to prevent MIME-sniffing vulnerabilities.

Next_js

In your Next.js application, ensure that the X-Content-Type-Options header is set to nosniff for all responses. You can achieve this by customizing the server configuration or by using middleware in the API routes to set the header appropriately. For example, you can add a custom server middleware that sets the header like so: res.setHeader('X-Content-Type-Options', 'nosniff'); for each incoming request.

Laravel

In Laravel, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding 'Header set X-Content-Type-Options "nosniff"' to your web server's configuration or by using middleware to include it in the HTTP response headers.

Express_js

In Express.js, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the helmet middleware, which can be installed via npm and included in your application as follows: const helmet = require('helmet'); app.use(helmet.noSniff());

Django

In your Django application, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the 'SecurityMiddleware' provided by Django, which sets this header by default. To enable the middleware, add 'django.middleware.security.SecurityMiddleware' to the 'MIDDLEWARE' setting in your settings.py file. If you have custom response handling, you can also set the header manually by adding 'response['X-Content-Type-Options'] = 'nosniff'' to your HttpResponse objects.

Symfony

In Symfony, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by adding a response header in your controller or by using an event listener to set the header globally. For example, in your controller, you can use '\Symfony\Component\HttpFoundation\Response' to set the header like so: '$response->headers->set('X-Content-Type-Options', 'nosniff');'. Alternatively, create an event listener for 'kernel.response' and set the header for each response sent by the application.

Spring_boot

In Spring Boot applications, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by configuring the security headers in the SecurityConfig class using the HttpSecurity object, or by implementing a custom filter that adds this header to every response.

Flask

In Flask, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding the following line to your view functions or by using a response middleware: 'response.headers['X-Content-Type-Options'] = 'nosniff'.
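As an added example (not code from Flask, Django or Escape) of the response-middleware approach described for Flask and Django, the WSGI middleware below wraps any WSGI application object and forces the header onto every response. It replaces an existing X-Content-Type-Options value instead of appending a second one, because browsers honour only the first comma-separated value. The sample app and request driver are constructed for illustration and run with the standard library only.

```python
from wsgiref.util import setup_testing_defaults

HEADER = "X-Content-Type-Options"

class NoSniffMiddleware:
    """Wrap any WSGI app and force X-Content-Type-Options: nosniff on
    every response. An existing header is replaced, not appended to,
    because browsers honour only the first comma-separated value."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
            kept.append((HEADER, "nosniff"))
            return start_response(status, kept, exc_info)
        return self.app(environ, _start_response)

def sample_app(environ, start_response):
    """Constructed WSGI app: one route mistakenly emits a wrong value."""
    if environ["PATH_INFO"] == "/legacy":
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  (HEADER, "none")])
    else:
        start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def run_request(app, path="/"):
    """Drive a WSGI app with a constructed request; return (status, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    b"".join(app(environ, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]

def header_values(headers, name):
    """All values of a header, matched case-insensitively on the name."""
    return [v for n, v in headers if n.lower() == name.lower()]

if __name__ == "__main__":
    app = NoSniffMiddleware(sample_app)
    for path in ("/", "/legacy"):
        _, hdrs = run_request(app, path)
        print(path, header_values(hdrs, HEADER))
```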

Nuxt

In your Nuxt.js application, ensure that the X-Content-Type-Options header is set to nosniff for all responses. You can achieve this by using the @nuxtjs/helmet module, which sets security-related headers. After installing the module, add '@nuxtjs/helmet' to the modules section of your nuxt.config.js file, and configure it to include the X-Content-Type-Options header by setting helmet: { contentSecurityPolicy: false, xContentTypeOptions: 'nosniff' } in the same file.

Fastapi

In FastAPI, ensure that all responses include the 'X-Content-Type-Options' header with the value 'nosniff'. This can be achieved by using FastAPI's middleware to add this header to all outgoing responses. For example, you can create a middleware function that sets the 'X-Content-Type-Options' header to 'nosniff' and add it to your FastAPI application instance using the 'app.add_middleware' method.

Configuration

Identifier: protocol/header_x_content_type_options

Examples

Ignore this check

checks:
  protocol/header_x_content_type_options:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API7:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1